(57) Abstract

The present invention is a method and apparatus for providing cryptographically secure algebraic key establishment protocols that use monoids and groups possessing certain algorithmic properties. Special fast algorithms associated with certain monoids and groups are used to optimize both key agreement and key transport protocols. The cryptographic security of the algorithm is based on the difficulty of solving the conjugacy problem in groups and other known hard algebraic problems. Braid groups and their associated algorithms are the basis for highly rapid key agreement and key transport protocols which employ modest computational resources.
A METHOD AND APPARATUS FOR CRYPTOGRAPHICALLY SECURE ALGEBRAIC KEY ESTABLISHMENT PROTOCOLS

Inventors: Iris Anshel, Michael M. Anshel, Dorian Goldfeld

BACKGROUND OF THE INVENTION

1. Field of the Invention 

The invention relates to algebraic key establishment protocols for cryptographic applications.

2. Description of the Prior Art 
Key Establishment Protocols 

The concepts, terminology and framework for understanding cryptographic key establishment protocols are given in Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, "Handbook of Applied Cryptography," CRC Press (1997), pages 490-491.

A 'protocol' is a multi-party algorithm, defined by a sequence of steps specifying the actions required of two or more parties in order to achieve a specified objective.

A 'key establishment' protocol is a protocol whereby a shared secret becomes available to two or more parties, for subsequent cryptographic applications.

A 'key transport' protocol is a key establishment protocol where one party creates or obtains a secret value, and securely transfers it to the other participating parties.

A 'key agreement' protocol is a key establishment protocol in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of the participating parties such that no party can predetermine the resulting value.

A 'key-distribution' protocol is a key establishment protocol whereby the established keys are completely determined a priori by initial keying material.

A 'dynamic' key establishment protocol is one whereby the key established by a fixed pair (or subset) of the participating parties varies on subsequent executions. Dynamic key establishment protocols are also referred to as 'session' key establishment protocols, and it is usually intended that these protocols are immune from known-key attacks.

The Diffie-Hellman key agreement protocol (also called 'exponential key exchange') is a fundamental algebraic protocol. It is presented in W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory vol. IT-22 (November 1976), pp. 644-654. The Diffie-Hellman key agreement protocol provided the first practical solution to the key distribution problem, allowing two parties, never having met in advance or sharing keying material, to establish a shared secret by exchanging messages over an open channel. The security rests on the intractability of the Diffie-Hellman problem and the related problem of computing discrete logarithms in the multiplicative group of the finite field GF(p) where p is a large prime, cf. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, "Handbook of Applied Cryptography," CRC Press (1997), page 113.

A key establishment protocol is said to have 'perfect forward secrecy' if compromise of long-term keys does not compromise past session keys. The idea of perfect forward secrecy is that previous traffic is locked safely in the past. It may be provided by generating session keys by Diffie-Hellman key agreement, wherein the Diffie-Hellman exponentials are based on short-term keys. If long-term secret keys are compromised, future sessions are nonetheless subject to impersonation by an active adversary (cf. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, "Handbook of Applied Cryptography," CRC Press (1997), page 496).

'Point-to-point key update' techniques based on symmetric encryption would make use of a long-term symmetric key K shared a priori by two parties A and B. The Diffie-Hellman key agreement protocol allows for the establishment of such a K. Thus, the Diffie-Hellman key agreement protocol together with the symmetric encryption system provide the primitives in specifying a key transport protocol (cf. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, "Handbook of Applied Cryptography," CRC Press (1997), page 497).
Combinatorial Group Theory

The definition of a monoid is given in Serge Lang, "Algebra," Third Edition, Addison-Wesley Publishing Company Inc. (1993), page 3.

QUOTE

Let $S$ be a set. A mapping $S \times S \to S$ is sometimes called a law of composition (of $S$ into itself). If $x, y$ are elements of $S$, the image of the pair $(x, y)$ under the mapping is also called their product under the law of composition, and will be denoted $xy$. . . .

Let $S$ be a set with a law of composition. If $x, y, z$ are elements of $S$, then we may form their product in two ways: $(xy)z$ and $x(yz)$. If $(xy)z = x(yz)$ for all $x, y, z$ in $S$ then we say that the law of composition is associative.

An element $e$ of $S$ such that $ex = x = xe$ for all $x \in S$ is called a unit element. A unit element is unique, for if $e'$ is another unit element, we have $e = ee' = e'$ by assumption. In most cases, the unit element is written simply $1$ (instead of $e$). . . .

A monoid is a set $G$, with a law of composition which is associative, and having a unit element (so that in particular, $G$ is not empty).

UNQUOTE

The definition of a group is given in Serge Lang, "Algebra," Third Edition, Addison-Wesley Publishing Company Inc. (1993), page 7.

QUOTE

A group $G$ is a monoid, such that for every element $x \in G$ there exists an element $y \in G$ such that $xy = yx = e$. Such an element $y$ is called an inverse for $x$. Such an inverse is unique. . . . We denote this inverse by $x^{-1}$.

UNQUOTE

The basic reference for concepts, terminology, and historical framework in combinatorial group theory is the monograph by Bruce Chandler and Wilhelm Magnus, "The history of combinatorial group theory: a case study in the history of ideas," Springer-Verlag (1982). We quote from page 3:

QUOTE

Combinatorial group theory may be characterized as the theory of groups which are given by generators and defining relations, or, as we would say today, by a presentation.

UNQUOTE

The following problems were posed by M. Dehn in 1911. We quote from the monograph by Bruce Chandler and Wilhelm Magnus, "The history of combinatorial group theory: a case study in the history of ideas," Springer-Verlag (1982), page 19.

QUOTE

The Word Problem (called Identitaetsproblem by Dehn) Let an arbitrary element of the group be given through its buildup in terms of the generators. Find a method to decide in a finite number of steps whether this element equals the identity element or not.

The Conjugacy Problem (called Transformationsproblem by Dehn) Any two elements $S$ and $T$ of the group are given. Find a method to decide whether $S$ and $T$ are conjugate, i.e. whether there exists an element $U$ of the group which satisfies the relation $S = UTU^{-1}$.

UNQUOTE

The comparison form of the word problem can be stated as follows:

Comparison Form of the Word Problem Let $u, v$ be any two elements of the given group. Find a method to decide in a finite number of steps whether $u = v$.

Assume that $G$ is a group given by a presentation $P(G)$. Let $W(G)$ denote the set of all words in the generators and their inverses given in the presentation of $G$. The functional form of the word problem is to produce a mapping $F$ from $W(G)$ to $W(G)$ such that for all $u, v \in W(G)$ it follows that $F(u) = F(v)$ if and only if $u, v$ define the same element of $G$ with respect to the presentation $P(G)$. For each element $u \in W(G)$ the element $F(u)$ is termed the canonical form of $u$.

The functional form of the word problem requires an algorithm to produce canonical forms.

The Canonical Form Problem Let $u$ be an arbitrary element of the given group. Specify a method to find, in a finite number of steps, a canonical form for $u$.

The functional form of the conjugacy problem requires, in addition, an algorithm to actually produce the conjugating element $U$.

Generalized Conjugacy Problem (functional form) Let $s_1, s_2, \ldots, s_n$ be elements of a group $G$. Assume that $a \in G$ is secret and the set of $n$ pairs of elements of the group $G$

$$\{s_1, a^{-1} s_1 a\}, \{s_2, a^{-1} s_2 a\}, \ldots, \{s_n, a^{-1} s_n a\}$$

are publicly announced. Find an algorithm to actually produce such an element $a$.

It is self-evident that this problem is harder than the original conjugacy problem. It has been known for some time that there exist groups with solvable word problem and unsolvable conjugacy problem. For example, in D. J. Collins and C. F. Miller III, "The conjugacy problem and subgroups of finite index," Proc. LMS Series 3, 34 (1977), pp. 535-556, it is shown that there exist finitely presented groups $G$ with solvable word problem which contain a subgroup $H$ of index 2 with an unsolvable conjugacy problem. (Of course, the word problem for $H$ is solvable.)

The discrete logarithm problem for a finite cyclic group of order $p$ (a large prime) provides a bridge from combinatorial group theory to cryptographic protocols. A finite cyclic group of order $p$ can be realized as the set of integers coprime to $p$ modulo $p$, i.e., the finite set of integers $\{1, 2, \ldots, p-1\}$ which forms a group under multiplication modulo $p$. Given fixed integers $a, b \in \{1, 2, \ldots, p-1\}$, where $a$ is a primitive root modulo $p$, the discrete logarithm problem is to find an integer $x$ (with $1 \le x \le p-1$) such that

$$b \equiv a^x \pmod{p}.$$

Another realization of a finite cyclic group of order $p$ can be specified by a presentation with one generator $a$ and one defining relation $a^p = 1$ where $1$ denotes the identity element. Note that every element $g$ of the group has a unique canonical form $g = a^z$ where $z$ is an integer between one and $p$. It is clear that the discrete logarithm problem for a finite cyclic group of order $p$ is thus identical to the canonical word problem for this group with respect to an arbitrary primitive element $a$.

The present invention employs the problems and algorithms of combinatorial group theory to create novel cryptographically secure algebraic key establishment protocols. More specifically, the cryptographic security of these protocols depends on the existence of groups with feasible word problem and hard conjugacy problem. Such an approach does not exist in the prior art.

SUMMARY OF THE INVENTION

It is the primary object of the present invention to provide novel cryptographically secure algebraic key establishment protocols based on a key establishment algebraic system KEAS.

Let $(U, \circ_U)$ denote a monoid whose generating set $\{u_1, u_2, \ldots\}$ is enumerable and whose law of composition

$$\circ_U : U \times U \to U$$

is feasibly computable. Let $(V, \circ_V)$ denote another such monoid. A KEAS is a five-tuple $(U, V, \beta, \gamma_1, \gamma_2)$ where

$$\beta : U \times U \to V, \qquad \gamma_i : U \times V \to V \quad (i = 1, 2)$$

are feasibly computable functions satisfying the following properties.

(i) For all elements $x, y_1, y_2 \in U$

$$\beta(x, \circ_U(y_1, y_2)) = \circ_V(\beta(x, y_1), \beta(x, y_2)).$$

(ii) For all elements $x, y \in U$

$$\gamma_1(x, \beta(y, x)) = \gamma_2(y, \beta(x, y)).$$

It is an object of the present invention to provide an apparatus which can perform monoid multiplication for KEAS.

It is an object of the present invention to provide a novel algebraic key agreement protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where $U = V = G$ is a group.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key agreement protocol whose security is based on the existence of groups whose word problem can be solved in polynomial time while no polynomial time algorithm to solve the generalized conjugacy problem is known.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key agreement protocol which is based on the computation of a list of randomly rewritten conjugates in a group, thus reducing the steps and calculations in executing the protocol. This allows for easy implementation of the algorithms on low level computing devices with table driven modules.

It is an object of the present invention to provide an algebraic key agreement protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where $U = V = G$ is the braid group.

It is an object of the present invention to provide an apparatus which randomly rewrites a word in the braid group in linear time in the word length.

A key transport protocol is an algorithm, initiated by an input, defined by a sequence of steps, which enables one party to securely transfer a key to another party. The key transport protocol is said to run in polynomial time if the number of steps required to transfer the key is a polynomial in the bit length of the input. If the polynomial is of the first degree, the key transport protocol is said to run in linear time.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key transport protocol based on KEAS which allows for a linear time secure transfer of an encrypted key and requires polynomial time decryption of said encrypted key.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key transport protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where $U$ and $V$ are monoids and $U$ acts on a message space. The key transport protocol is a combination of the algebraic key agreement protocol based on KEAS, together with an apparatus which efficiently compares members of the message space. This allows for linear time secure transfer of an element of the message space and requires a polynomial time algorithm for comparison and retrieval of the message.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key transport protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where the message space $= U = V$ is the braid group which acts on itself by multiplication. This allows for the linear time secure transfer of an element of the message space (randomly rewritten word in the braid group) and requires a polynomial time algorithm to obtain a canonical form and decrypt the message.

It is an object and feature of the present invention to provide a cryptographically secure algebraic key transport protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where the message space $= U = V$ is the braid group which acts on itself by conjugation. This allows for the linear time secure transfer of an element of the message space (randomly rewritten word in the braid group) and requires a polynomial time algorithm to obtain a canonical form and decrypt the message.

It is an object of the present invention to provide a cryptographically secure algebraic key transport protocol based on KEAS $= (U, V, \beta, \gamma_1, \gamma_2)$ where $U = V$ is the braid group and the message space is a free group.

The system according to the invention is particularly suited towards implementation using currently available digital technology, commercially popular microprocessor based systems, and other affordable digital components. Significant portions of the system may be implemented and significant portions of the method according to the invention may be performed by software in a microcomputer based system. Moreover the system is quite suitable for implementation on emerging computer technologies, e.g., quantum computers.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 shows an exemplary preferred embodiment of an apparatus which performs monoid multiplication.

Fig. 2 shows a $\beta$-function module.

Fig. 3 shows a $\gamma_1, \gamma_2$-function module.

Fig. 4 shows a submonoid generator.

Fig. 5 shows a submonoid random element generator.

Fig. 6 shows an exchange of public information of an algebraic key agreement protocol based on monoids.

Fig. 7 shows a preferred embodiment of an apparatus which performs the algebraic key agreement protocol based on monoids.

Fig. 8 shows an exchange of public information of an algebraic key agreement protocol based on the braid group.

Fig. 9 shows a preferred embodiment of a random rewriter for the braid group.

Fig. 10 shows a preferred embodiment of an apparatus which performs the algebraic key agreement protocol based on the braid group.

Fig. 11 shows a preferred embodiment of an apparatus which performs the algebraic key transport protocol for monoids.

Fig. 12 shows a preferred embodiment of an apparatus which performs the algebraic key transport protocol for groups.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A General Algebraic Key Agreement Protocol

A preferred embodiment of an apparatus which performs an algebraic key agreement protocol based on KEAS will now be described in detail. The algebraic key agreement protocol requires an apparatus which can perform monoid multiplication. A preferred exemplary embodiment of such an apparatus is depicted with block diagrams in figure 1, and is described as follows.

Let $(U, \circ_U)$ denote a monoid whose generating set $\{u_1, u_2, \ldots\}$ is enumerable and whose law of composition

$$\circ_U : U \times U \to U$$

is feasibly computable. The U-Library 11 consists of the set of generators $\{u_1, u_2, \ldots\}$. A sequence of indices 10, say $i_1, i_2, \ldots, i_k$, along with the U-Library 11 is presented to the Sequence Encoder 12. The Sequence Encoder 12 chooses $u_{i_1}, u_{i_2}, \ldots, u_{i_k}$ from the U-Library 11 and presents this to the Free Monoid Multiplier 13 which then concatenates the elements to yield the output $u_{i_1} \cdot u_{i_2} \cdots u_{i_k}$. The monoid $U$ can be viewed as a quotient of the free monoid (generated by the U-Library) modulo a set of rewriting rules. The U-Presentation Code 14 consists of this set of rewriting rules. The Monoid Rewriter 15 computes the equivalence class of $u_{i_1} \cdot u_{i_2} \cdots u_{i_k}$ modulo the rewriting rules in the U-Presentation Code 14. The result is a word in the monoid $U$. An apparatus which performs the internal binary operation of $U$ can now be specified. Given $x = u_{j_1} \cdot u_{j_2} \cdots u_{j_a}$ and $y = u_{k_1} \cdot u_{k_2} \cdots u_{k_b}$, to obtain the product $x \cdot y$, simply input the long sequence $j_1, j_2, \ldots, j_a, k_1, k_2, \ldots, k_b$ into 10. The output of the Monoid Rewriter 15 will be $x \cdot y$.

A preferred embodiment of an apparatus which performs the algebraic key agreement protocol based on KEAS is depicted in block diagrams in figures 1 through 7. Recall that a KEAS is a five-tuple $(U, V, \beta, \gamma_1, \gamma_2)$ where $U$ and $V$ are monoids with feasibly computable laws of composition and $\beta, \gamma_1, \gamma_2$ are functions satisfying the following properties:

(i) For all $x, y_1, y_2 \in U$

$$\beta(x, \circ_U(y_1, y_2)) = \circ_V(\beta(x, y_1), \beta(x, y_2)).$$

(ii) There exist easily computable functions $\gamma_i : U \times V \to V$ $(i = 1, 2)$ such that

$$\gamma_1(x, \beta(y, x)) = \gamma_2(y, \beta(x, y)).$$

Let $x, y \in U$ denote the Input 20. The $\beta$-Function Module 21 computes the value of $\beta(x, y)$. Let $u \in U$ be the Input 30, and let $v \in V$ be the Input 31. The $\gamma_1$-Function Module 32 computes $\gamma_1(u, v)$ while the $\gamma_2$-Function Module 33 computes $\gamma_2(u, v)$.

With the functions $\beta, \gamma_1, \gamma_2$ in place the algebraic key agreement protocol can now be described. Given a subset $S \subseteq U$, recall that the submonoid generated by $S$, denoted $\langle S \rangle$, is defined to be the smallest submonoid of $U$ which contains $S$, i.e.,

$$\langle S \rangle = \bigcap \{\text{submonoids of } U \text{ containing } S\}.$$

Remark that $\langle S \rangle$ coincides with the set of all possible products of elements in the set $S$, including the empty product (which is the identity element).

The algebraic key agreement protocol involves two users, A(lice) and B(ob). User A is assigned a set of distinct elements in $U$,

$$\{s_1, s_2, \ldots, s_n\},$$

which generate a submonoid of $U$ denoted

$$S_A = \langle s_1, s_2, \ldots, s_n \rangle.$$

In the discussion below we utilize functional notation for elements in the monoid $U$: if $x$ is an element in $U$, $x$ is expressible as a word in the generators of $U$, and we write

Remark that each $s_i$ is expressible as a word in the generators of $U$: for $i = 1, 2, \ldots, n$.

Likewise user B is assigned elements $\{t_1, \ldots, t_m\}$ which generate a submonoid of $U$ denoted

$$T_B = \langle t_1, t_2, \ldots, t_m \rangle.$$

Here again each $t_j$ is expressible as a word in the generators of $U$: for $j = 1, 2, \ldots, m$.

An apparatus for assigning an arbitrary set $w_1, w_2, \ldots, w_m$ of $m$ words to a user is depicted in figure 4. The key component of this apparatus is a cryptographically secure pseudorandom number generator PRNG. The definition of a PRNG is given in Bruce Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code in C," Second Edition, John Wiley (1996), page 45, and is well known in the art. In all subsequent discussions in the preferred embodiment, a PRNG will always refer to such a cryptographically secure pseudorandom number generator.

Let $m, k \ge 1$ denote integers. Let $L = \{L_1, L_2, \ldots, L_m\}$ denote a vector of positive integers. The Input: $m, L$ 40 together with the Input: $k$ 42 is presented to a pseudorandom number generator PRNG 41 which creates $m$ lists of integers of lengths $L_1, L_2, \ldots, L_m$, respectively; each list $\{c(i, 1), c(i, 2), \ldots, c(i, L_i)\}$ (for $i = 1, 2, \ldots, m$) consisting of integers randomly chosen from the set $\{1, 2, \ldots, k\}$. These lists, together with the U-Library 11, are then presented to the Sequence Encoder 12 whose output goes to the Free Monoid Multiplier 13. The output of the Free Monoid Multiplier 13 is then sent to the Monoid Rewriter 15 into which the U-Presentation Code has already been presented. The final output is $w_1, w_2, \ldots, w_m$, which creates a User Submonoid Generator Library 43 and is then sent to the User Submonoid Store and Forward Module 44.

The process of key exchange begins with both users choosing secret elements in their respective submonoids,

$$a \in S_A, \quad a = a(s_1, s_2, \ldots, s_n)$$

$$b \in T_B, \quad b = b(t_1, t_2, \ldots, t_m).$$

This is depicted in figure 5. Let $L, m$ denote positive integers. The Input: $L$ 50 together with the Input: $m$ 52 is sent to a pseudorandom number generator PRNG 51 which randomly chooses $L' \le L$ positive integers $e_1, e_2, \ldots, e_{L'}$ such that each $e_i \le m$ (for $i = 1, 2, \ldots, L'$). This sequence of randomly chosen integers is presented to the Sequence Encoder 12 which also receives the Input of the User Submonoid Generator Library 43 which consists of $w_1, w_2, w_3, \ldots$. The Sequence Encoder 12 then chooses $w_{e_1}, w_{e_2}, \ldots, w_{e_{L'}}$ and presents this to the Submonoid Multiplier 54 which computes the product $a = w_{e_1} \cdot w_{e_2} \cdots w_{e_{L'}}$ and sends it to the User Private Element Store and Forward Module 55.

User A now transmits the Input 60

$$s_1, \ldots, s_n$$

(where each $s_i$ is a word in the generators of $U$) via the Communication module: Transmit and Receive 62, and user B transmits the Input 61

$$t_1, \ldots, t_m$$

via the Communication module: Transmit and Receive 62. The received list $\{t_1, t_2, \ldots, t_m\}$ together with Alice's secret key, the Input: $a$ 63, is then forwarded to the $\beta$-Function Module 23 yielding the list

$$\beta(a, t_1), \ldots, \beta(a, t_m)$$

which is stored in the Store and Forward Module 65. Similarly, the received list $\{s_1, s_2, \ldots, s_n\}$ together with Bob's secret key, the Input: $b$ 64, is then forwarded to the $\beta$-Function Module 23 yielding the list

$$\beta(b, s_1), \ldots, \beta(b, s_n)$$

which is stored in the Store and Forward Module 66.
User A now transmits the Input 70

$$\beta(a, t_1), \ldots, \beta(a, t_m)$$

(which was stored in the Store and Forward Module 65) via the Communication module: Transmit and Receive 62, and similarly user B transmits the Input 71

$$\beta(b, s_1), \ldots, \beta(b, s_n)$$

(which was stored in the Store and Forward Module 66) via the Communication module: Transmit and Receive 62.

The received list $\beta(b, s_1), \ldots, \beta(b, s_n)$, together with the secret list of integers $e_1, e_2, \ldots, e_{L'}$ generated by the PRNG 51 to produce Alice's secret key

is presented to the V-Monoid Multiplier 72 which then (using property (i) that $\beta$ satisfies) computes the product

$$\beta(b, a) = \beta(b, s_{e_1}) \cdot \beta(b, s_{e_2}) \cdots \beta(b, s_{e_{L'}}).$$

The element $\beta(b, a)$ together with the secret key $a$ are sent to the $\gamma_1$-Function 32 to produce the final output

$$\gamma_1(a, \beta(b, a)).$$

In a completely analogous manner, the received list $\beta(a, t_1), \ldots, \beta(a, t_m)$, together with the secret list of integers $f_1, f_2, \ldots, f_{L''}$ generated by the PRNG 51 to produce Bob's secret key

is presented to the V-Monoid Multiplier 72 which then (using property (i) that $\beta$ satisfies) computes the product

The element $\beta(a, b)$ together with the secret key $b$ are sent to the $\gamma_2$-Function 33 to produce the final output

$$\gamma_2(b, \beta(a, b)).$$

By property (ii) it immediately follows that

$$\gamma_1(a, \beta(b, a)) = \gamma_2(b, \beta(a, b))$$

which is the common key exchanged between Alice and Bob.

Example 1:

A first example of an algebraic key agreement protocol of the type detailed above can be obtained by considering the case where $U = V = G$ is a group (a monoid where every element has an inverse). In this case the function $\beta$,

$$\beta : G \times G \to G$$

is chosen to be conjugation:

$$\beta(x, y) = x^{-1} y x.$$

The functions $\gamma_1$ and $\gamma_2$ are chosen to be

$$\gamma_1(u, v) = u^{-1} v, \qquad \gamma_2(u, v) = v^{-1} u.$$

It is easy to see that properties (i), (ii) hold.

The asymmetric key agreement protocol in this situation can be described as follows. Users A and B publicly choose subgroups

and secret elements $a \in S_A$ and $b \in S_B$. User A transmits the collection of conjugates

$$a^{-1} t_1 a, \ a^{-1} t_2 a, \ \ldots, \ a^{-1} t_m a$$

and similarly user B transmits

$$b^{-1} s_1 b, \ b^{-1} s_2 b, \ \ldots, \ b^{-1} s_n b.$$

Recalling that the conjugate of the product of two elements is the product of the conjugates of those elements, users A and B are now in a position to compute, respectively, the elements

$$b^{-1} a b, \qquad a^{-1} b a.$$

In order to attain a common key, user A now multiplies $b^{-1} a b$ on the left by $a^{-1}$ to obtain

$$[a, b] = a^{-1} b^{-1} a b,$$

and user B multiplies $a^{-1} b a$ on the left by $b^{-1}$ to obtain $[b, a]$ and then computes the inverse of $[b, a]$ which is $[a, b]$. Note that this is consistent with the general system notation in that

$$[a, b] = \gamma_1(a, \beta(b, a)) = \gamma_2(b, \beta(a, b)).$$
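The general protocol of figures 4 through 7 and its instantiation in Example 1, run end to end, as an added Python example that is not part of the patent. To run stand-alone it assumes that $G$ is the symmetric group on $n$ letters with permutations stored as tuples; the patent's preferred embodiment is the braid group, where the generalized conjugacy problem is believed to be hard, whereas in a permutation group it is easy, so this choice illustrates the mechanics of the exchange and of properties (i) and (ii), not the security argument. The parameters $n$, the numbers of generators, the secret length and the seed are constructed sample values, and the seeded random.Random stands in for PRNG 41 and 51.

```python
import random

# Added example, not code from the patent. G = symmetric group on n letters,
# permutations as tuples (an assumption made so the block runs stand-alone).


def compose(p, q):
    """Product p * q of two permutations: apply p first, then q."""
    return tuple(q[i] for i in p)


def inverse(p):
    """Inverse permutation p^{-1}."""
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def product(elements):
    """Monoid product x_1 * x_2 * ... * x_r of a non-empty list, left to right."""
    result = tuple(range(len(elements[0])))   # identity permutation
    for x in elements:
        result = compose(result, x)
    return result


# The KEAS functions of Example 1, with U = V = G.
def beta(x, y):
    """beta(x, y) = x^{-1} y x  (conjugation)."""
    return product([inverse(x), y, x])


def gamma1(u, v):
    """gamma_1(u, v) = u^{-1} v."""
    return compose(inverse(u), v)


def gamma2(u, v):
    """gamma_2(u, v) = v^{-1} u."""
    return compose(inverse(v), u)


def key_agreement(n=7, num_s=4, num_t=4, secret_len=6, seed=1):
    """Run the key agreement of Example 1; return (Alice's key, Bob's key, [a, b]).

    All parameters are constructed sample values. random.Random(seed) stands in
    for PRNG 41/51 and is not cryptographically secure.
    """
    rng = random.Random(seed)

    def random_element():
        p = list(range(n))
        rng.shuffle(p)
        return tuple(p)

    # Public generators assigned to the two users (figure 4):
    #   S_A = <s_1, ..., s_n>,  T_B = <t_1, ..., t_m>
    S = [random_element() for _ in range(num_s)]
    T = [random_element() for _ in range(num_t)]

    # Secret index sequences (figure 5) define the secret elements
    #   a = s_{e_1} s_{e_2} ... s_{e_L'}  and  b = t_{f_1} t_{f_2} ... t_{f_L''}.
    e = [rng.randrange(num_s) for _ in range(secret_len)]
    f = [rng.randrange(num_t) for _ in range(secret_len)]
    a = product([S[i] for i in e])
    b = product([T[j] for j in f])

    # Public exchange (figure 6): each user conjugates the other's generators
    # by its own secret. These lists, together with S and T, are all that is sent.
    a_conj_T = [beta(a, t) for t in T]   # Alice -> Bob:  a^{-1} t_j a
    b_conj_S = [beta(b, s) for s in S]   # Bob -> Alice:  b^{-1} s_i b

    # Property (i): beta(b, a) is the product of the received beta(b, s_{e_i})
    # taken in the secret order e, so Alice obtains b^{-1} a b without knowing b.
    beta_b_a = product([b_conj_S[i] for i in e])
    beta_a_b = product([a_conj_T[j] for j in f])

    key_A = gamma1(a, beta_b_a)   # a^{-1} (b^{-1} a b)
    key_B = gamma2(b, beta_a_b)   # (a^{-1} b a)^{-1} b
    commutator = product([inverse(a), inverse(b), a, b])   # [a, b]
    return key_A, key_B, commutator


if __name__ == "__main__":
    ka, kb, c = key_agreement()
    print("Alice:", ka)
    print("Bob:  ", kb)
    print("agree:", ka == kb == c)
```

Both parties end with the commutator $[a, b]$, exactly as the text derives. Note that an eavesdropper sees $s_i$, $t_j$, $a^{-1} t_j a$ and $b^{-1} s_i b$; recovering the key from those is the generalized conjugacy problem (functional form) for the chosen group, which is why the patent's security argument depends on the group and not on the protocol skeleton shown here.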

The fact that there exist groups with solvable word problem and unsolvable conjugacy problem shows that, at least in principle, the key agreement protocol for groups may be algorithmically unbreakable. In practice, however, one really works with a computer with only a finite amount of memory and this is equivalent to working only with words of bounded length in the group $G$. Thus everything is reduced to a finite amount of computation, so from this point of view all these problems are decidable.

The above protocol is secure and feasible provided the group $G$ has a feasibly solvable word problem and hard conjugacy problem. There are many groups, however, where the word problem can be solved in polynomial time (in the word length), while at the same time, there is no known polynomial time algorithm for solving the generalized conjugacy problem (functional form). An illustrative example of such a group is the braid group of $N$ symbols.

The braid group was first systematically studied by Emil Artin, "Theorie der Zöpfe," Hamb. Abh. 4 (1925), pages 47-72. In that paper, the so-called Artin generators $x_1, x_2, \ldots, x_N$ for the braid group of $N$ symbols are introduced. They satisfy the relations

$$x_i x_j = x_j x_i, \quad \text{if } |i - j| \ge 2 \text{ and } 1 \le i, j \le N,$$

$$x_i x_{i+1} x_i = x_{i+1} x_i x_{i+1}, \quad \text{if } 1 \le i \le N - 1.$$

A preferred embodiment of an apparatus which performs the key agreement protocol for the braid group is depicted in block diagrams in figures 8 to 10. This apparatus will now be described in detail.

Users A and B wish to exchange keys via public discussion over an insecure channel. Fix $G$ to be the braid group on $N$ generators. User A randomly chooses elements $s_1, s_2, \ldots, s_n \in G$ (Input 80) and transmits them to user B via the Communication Module 62. Similarly, user B randomly chooses elements $t_1, t_2, \ldots, t_m \in G$ (Input 81) and transmits them to user A via the Communication Module 62. It can be assumed that $s_1, s_2, \ldots, s_n, t_1, t_2, \ldots, t_m$ are publicly known.

The Input: $s_1, s_2, \ldots, s_n$ 80 is sent to the Random Word Generator 82 which produces a word $a$ which is a secret word in the generators $s_1, s_2, \ldots, s_n$. The process for doing this is depicted in a more general setting in figure 5. The Input: $t_1, t_2, \ldots, t_m$ 81 is sent to the Random Word Generator 83 which produces a word $b$ which is a secret word in the generators $t_1, t_2, \ldots, t_m$. The secret word $a$ together with the generators $t_1, t_2, \ldots, t_m$ are then presented to the Braid Group Conjugation Module 84 which computes the list of conjugate elements

$$a^{-1} t_1 a, \ a^{-1} t_2 a, \ \ldots, \ a^{-1} t_m a.$$

Similarly, the secret word $b$ together with the generators $s_1, s_2, \ldots, s_n$ are then presented to the Braid Group Conjugation Module 84 which computes the list of conjugate elements

$$b^{-1} s_1 b, \ b^{-1} s_2 b, \ \ldots, \ b^{-1} s_n b.$$

In both cases, these lists are then sent to the Random Rewriter 85 which randomly rewrites each word in the list. The randomly rewritten lists are then sent to the Store and Forward Modules 86, 87.

A preferred embodiment of the Random Rewriter 85 is depicted in block diagrams in figure 9. The Input: $w$ 90 is sent to the Free Reducer 91. The Free Reducer 91 searches for subwords of the form $x x^{-1}$ and $x^{-1} x$ in the word $w$ (where $x$ is an arbitrary word in the Artin generators of $G$) and replaces $x x^{-1}$ and $x^{-1} x$ by the identity element. The Free Reducer 91 freely reduces the word $w$ to produce the (possibly shorter) word $W$. The word $W$ is then presented to the Length Function which computes its length $L$. The length $L$ is then sent to a pseudorandom number generator PRNG 94 which randomly produces an integer $j$ (where $1 \le j \le L$) and a bit $e$ which is either 0 or 1. The freely reduced word $W$ together with the integer $j$ and the bit $e$ are then sent to the Move and Replace Module 92 which produces a new word in the following manner.

Recall that $W$ is a word in the Artin generators $x_1, x_2, \ldots, x_N$ of length $L$, say $W = x_{r_1}^{\epsilon_1} x_{r_2}^{\epsilon_2} \cdots x_{r_L}^{\epsilon_L}$ where for $i = 1, 2, \ldots, L$ each $\epsilon_i = \pm 1$ and $r_i \in \{1, 2, \ldots, N\}$. If $e = 0$ and $j = 1$, halt the process. If $e = 0$ and $j > 1$ consider the subword (of length 2 at the $j$-th position) $x_{r_{j-1}}^{\epsilon_{j-1}} x_{r_j}^{\epsilon_j}$. If $|r_{j-1} - r_j| \ge 2$ replace this subword by $x_{r_j}^{\epsilon_j} x_{r_{j-1}}^{\epsilon_{j-1}}$ and set $j = j - 1$. Keep repeating until either $j = 1$ or $|r_{j-1} - r_j| = 1$. If $|r_{j-1} - r_j| = 1$, replace the string $x_{r_{j-1}}^{\epsilon_{j-1}} x_{r_j}^{\epsilon_j}$ by a four symbol subword arising from the Artin relations. The complete list of substitutions is given as:

$$x_j x_{j+1} \to x_{j+1} x_j x_{j+1} x_j^{-1}$$

$$x_j^{-1} x_{j+1}^{-1} \to x_{j+1}^{-1} x_j^{-1} x_{j+1}^{-1} x_j$$

$$x_j x_{j+1}^{-1} \to x_{j+1}^{-1} x_j^{-1} x_{j+1} x_j$$

$$x_j^{-1} x_{j+1} \to x_{j+1} x_j x_{j+1}^{-1} x_j^{-1}$$

$$x_{j+1} x_j \to x_j^{-1} x_{j+1} x_j x_{j+1}$$

$$x_{j+1} x_j^{-1} \to x_j^{-1} x_{j+1}^{-1} x_j x_{j+1}$$

$$x_{j+1}^{-1} x_j \to x_j x_{j+1} x_j^{-1} x_{j+1}^{-1}$$

$$x_{j+1}^{-1} x_j^{-1} \to x_j x_{j+1}^{-1} x_j^{-1} x_{j+1}^{-1}$$

In an analogous manner, if $e = 1$ the algorithm is the same except that one now considers the subword $x_{r_j}^{\epsilon_j} x_{r_{j+1}}^{\epsilon_{j+1}}$ and sets $j = j + 1$. So if $e = 0$, move to the left; while if $e = 1$, move to the right searching for two adjacent generators whose indices differ by one. As soon as they are found, they are replaced according to the substitutions listed above.

The output W of the Move and Replace Module 92 together with the Input 95 of 
a positive integer k is then sent to the Iterate and Exit Module 96 which iterates the 
above procedure k times (by sending W back to the Free Reducer 91) and then exits the 
procedure sending its output W to the Free Reducer 91. The final freely reduced word is 
then sent to the Store and Forward Module 97. 

The list $a^{-1} t_1 a, a^{-1} t_2 a, \ldots, a^{-1} t_m a$, which was stored in the Store and Forward 
Module 86 becomes Input 100 and is presented to the Communication Module: Transmit 
and Receive 62. Likewise the list $b^{-1} s_1 b, b^{-1} s_2 b, \ldots, b^{-1} s_n b$, which was stored in the 
Store and Forward Module 87 becomes Input 101 and is presented to the Communication 
Module: Transmit and Receive 62. These lists are broadcast over an insecure channel and 
can be assumed to be publicly known. The received list $b^{-1} s_1 b, b^{-1} s_2 b, \ldots, b^{-1} s_n b$ 
together with user A's secret word a are then presented to the Braid Group Multiplier 
102 which computes $b^{-1} a b$ (since conjugation by b is a homomorphism, this is done by 
substituting $b^{-1} s_j b$ for each occurrence of $s_j$ in the word a). The conjugate $b^{-1} a b$ together 
with user A's secret word a is sent to the $\gamma_1$-Function 103 which computes the final output 
$a^{-1} b^{-1} a b$. Correspondingly, the received list $a^{-1} t_1 a, a^{-1} t_2 a, \ldots, a^{-1} t_m a$ together 
with user B's secret word b are then presented to the Braid Group Multiplier 102 which 
computes $a^{-1} b a$. The conjugate $a^{-1} b a$ together with user B's secret word b is sent to the 
$\gamma_2$-Function 104 which computes the final output $a^{-1} b^{-1} a b$ which is the exchanged key. 

The total running time of this protocol will be polynomial time in the total bit length 
of the exchanged lists: 

provided the integer k (Input 95, which counts the number of iterations used by the random 
rewriter) is not too large. 
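The following Python program is an added worked example and is not part of the patent's disclosure. It implements the Random Rewriter of figure 9 (free reduction, the Move and Replace walk, and the eight Artin substitutions listed above) and then runs the braid key agreement of figures 8 to 10 end to end for both parties. The number of Artin generators (four), the list sizes and word lengths, and the seeded PRNG are toy parameters chosen here. The unreduced Burau representation is used only as an invariant to check that rewriting never changes the braid and that both parties' keys are the same element; it stands in for the comparison algorithms the patent cites, is not faithful for five or more strands, and must not be used as a word-problem solver in practice.

```python
# Added example, not code from the patent.  Braid words on the Artin generators
# x_1..x_N are lists of non-zero ints: +i stands for x_i, -i for x_i^{-1}.
from fractions import Fraction
import random

N_GENS = 4  # Artin generators x_1..x_4 (braids on 5 strands), a toy size chosen here


def free_reduce(w):
    """Free Reducer 91: cancel every adjacent x x^{-1} or x^{-1} x pair."""
    out = []
    for g in w:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def inverse(w):
    return [-g for g in reversed(w)]


def artin_substitution(g, h):
    """The eight four-symbol replacements for x_j^{+-1} x_{j+1}^{+-1} and
    x_{j+1}^{+-1} x_j^{+-1}; each follows from x_j x_{j+1} x_j = x_{j+1} x_j x_{j+1}."""
    a = min(abs(g), abs(h)); b = a + 1          # indices j and j+1
    table = {(a, b): [b, a, b, -a],    (-a, b): [b, a, -b, -a],
             (a, -b): [-b, -a, b, a],  (-a, -b): [-b, -a, -b, a],
             (b, a): [-a, b, a, b],    (b, -a): [-a, -b, a, b],
             (-b, a): [a, b, -a, -b],  (-b, -a): [a, -b, -a, -b]}
    return table[(g, h)]


def move_and_replace(w, j, e):
    """Move and Replace Module 92: from 1-based position j of the freely reduced
    word w walk left (e=0) or right (e=1), then substitute (see comments)."""
    w, L = list(w), len(w)
    while (j > 1) if e == 0 else (j < L):
        p = j - 2 if e == 0 else j - 1
        d = abs(abs(w[p]) - abs(w[p + 1]))
        if d >= 2:                      # indices differ by >= 2: generators commute, swap
            w[p], w[p + 1] = w[p + 1], w[p]
            j += 1 if e else -1
        elif d == 1:                    # indices differ by 1: four-symbol Artin substitution
            w[p:p + 2] = artin_substitution(w[p], w[p + 1])
            break
        else:                           # same index (e.g. x_1 x_1): unspecified in the patent; stop
            break
    return w


def random_rewrite(w, k, rng):
    """Random Rewriter 85 with k iterations (Iterate and Exit Module 96).
    rng is PRNG 94; an int seed is accepted for reproducibility (use a CSPRNG in practice)."""
    rng = random.Random(rng) if isinstance(rng, int) else rng
    for _ in range(k):
        w = free_reduce(w)
        if len(w) < 2:
            break
        w = move_and_replace(w, rng.randint(1, len(w)), rng.randint(0, 1))
    return free_reduce(w)


def burau(w, n=N_GENS, t=Fraction(2)):
    """Unreduced Burau matrix of w on n+1 strands at t.  Equal braids give equal
    matrices, so this is a sanity invariant only (assumption of this example;
    not the patent's comparison algorithm, not faithful for 5+ strands)."""
    size = n + 1
    M = [[Fraction(int(r == c)) for c in range(size)] for r in range(size)]
    for g in w:
        i = abs(g) - 1
        blk = ([[1 - t, t], [Fraction(1), Fraction(0)]] if g > 0
               else [[Fraction(0), Fraction(1)], [1 / t, 1 - 1 / t]])
        for r in range(size):           # right-multiply; only columns i, i+1 change
            c0, c1 = M[r][i], M[r][i + 1]
            M[r][i] = c0 * blk[0][0] + c1 * blk[1][0]
            M[r][i + 1] = c0 * blk[0][1] + c1 * blk[1][1]
    return M


def expand(idx_word, lst):
    """Substitute list entries for letters: [(i, 1), (j, -1)] -> lst[i] lst[j]^{-1}."""
    out = []
    for i, sgn in idx_word:
        out += lst[i] if sgn > 0 else inverse(lst[i])
    return out


def aag_key_agreement(seed, k=4):
    """Figures 8 to 10 end to end; returns (key_A, key_B, keys_agree)."""
    rng = random.Random(seed)
    word = lambda: [rng.choice([-1, 1]) * rng.randint(1, N_GENS) for _ in range(4)]
    s = [word() for _ in range(3)]                    # A's public generators s_1..s_3
    t = [word() for _ in range(3)]                    # B's public generators t_1..t_3
    a_idx = [(rng.randrange(3), rng.choice([-1, 1])) for _ in range(4)]  # secret a, a word in the s_j
    b_idx = [(rng.randrange(3), rng.choice([-1, 1])) for _ in range(4)]  # secret b, a word in the t_i
    a, b = expand(a_idx, s), expand(b_idx, t)
    sent_by_A = [random_rewrite(inverse(a) + ti + a, k, rng) for ti in t]  # a^{-1} t_i a (public)
    sent_by_B = [random_rewrite(inverse(b) + sj + b, k, rng) for sj in s]  # b^{-1} s_j b (public)
    # A, Braid Group Multiplier 102 + gamma_1 103: b^{-1} a b by substitution, then prefix a^{-1}
    key_A = free_reduce(inverse(a) + expand(a_idx, sent_by_B))
    # B, Braid Group Multiplier 102 + gamma_2 104: a^{-1} b a by substitution, invert, append b
    key_B = free_reduce(inverse(expand(b_idx, sent_by_A)) + b)
    return key_A, key_B, burau(key_A) == burau(key_B)
```

Calling aag_key_agreement(2024) returns two freely reduced words that in general differ as strings of generators but represent the same braid $a^{-1} b^{-1} a b$; before the key is used, both parties must bring it to a canonical form (or otherwise derive key material from the group element rather than from the word), which is exactly the role of the canonical form and comparison algorithms discussed below.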

A General Algebraic Key Transport Protocol 

A preferred embodiment of an apparatus which performs the general algebraic key 
transport protocol will now be described in detail. It is assumed that two parties A(lice) 
and B(ob) have already participated in an algebraic key agreement protocol of the type 
described previously (for monoids), so that both A and B are in possession of a common 
key k which is a word in the monoid U. Note that the common key k may be expressed as 
a word in the generators of U in many different ways. Each such expression is contained 
in the same equivalence class of the free monoid modulo the presentation code of U. In 
order to obtain a unique expression for k it is necessary to have a unique canonical form 
for all elements in U. In the key transport protocol which will now be presented, it is not 
assumed that k is in canonical form. 

The key transport protocol for monoids is based on the action of the monoid on a set 
M which we term the message space. The action of the monoid U on M is a function 
$$U \times M \to M$$ 
which we denote 
$$(u, m) \mapsto u(m) \in M$$ 
for each $u \in U$, $m \in M$, which satisfies the following conditions: 
$$u(v(m)) = uv(m), \quad \text{for all } u, v \in U \text{ and } m \in M,$$ 
$$1(m) = m, \quad \text{for all } m \in M.$$ 

A preferred embodiment of an apparatus which performs the key transport protocol for 
monoids is depicted in block diagrams in figure 11. First, a common key 
$$k = \gamma_1(a, \beta(b, a)) = \gamma_2(b, \beta(a, b)) \in U$$ 
is exchanged via the Key Agreement Protocol for Monoids 110 which was previously de- 
picted in figures 6 and 7. Fix distinct elements 
$$M_1, M_2, \ldots, M_D \in M,$$ 
which is Input 112. The key transport protocol is a mechanism which allows A (the sender) 
to transfer a message 
$$M \in \{M_1, M_2, \ldots, M_D\}$$ 
to B (the receiver). The message M is the Input 111 which is sent to the Monoid Action 
113 which computes the action of k on M which is $k(M)$. The element $k(M)$ is then 
sent to the Communication Module: Transmit and Receive 62 which transmits $k(M)$ to 
B. Concurrently, the Input: $M_1, M_2, \ldots, M_D \in M$ 112 together with the key k (output 
of the Key Agreement Protocol for Monoids 110) is presented to the Monoid Action 113 
which computes the elements $k(M_1), k(M_2), \ldots, k(M_D)$. These elements together with 
$k(M)$ are presented to the Compare and Choose Module 114 which compares them and 
determines which of the $M_i$ for $i = 1, 2, \ldots, D$ is actually M. Thus, the message M has 
been transferred from A(lice) to B(ob). 

Note that in this protocol, it is not necessary to compute canonical forms. All that is 
required is an algorithm to decide (Compare and Choose Module 114) if two elements of 
the set M are the same or not. 

In a key transport protocol, the bandwidth is defined to be the number of bits publicly 
exchanged between the two parties (via the Communication Module: Transmit and Receive 
62) in order to transmit one bit (shared secret). In this protocol, the bandwidth decreases 
as D increases (one transmitted element carries $\log_2 D$ bits), but at the expense of an 
increase in off line computations (Compare and Choose Module 114). 

In a binary system such as for digital message transmissions, the Input 112 may be 
arbitrarily selected to be one of two elements $M_1$ or $M_2$. The Monoid Action 113 may then 
be computed on the single arbitrarily selected element only. If the received element $k(M)$ 
matches the output of the Monoid Action 113 on the selected element, then M may be 
presumed to be the selected element. If $k(M)$ does not match that output, then M is 
presumed to be the non-selected element. 

If our monoid U is a group G then the basic property of a group (that every element 
has a unique inverse) allows us to present a different key transport protocol. It is again 
assumed that two parties A(lice) and B(ob) have already participated in an algebraic key 
agreement protocol of the type described previously (for groups), so that both A and B 
are in possession of a common key k which is a word in the group G. It is not assumed 
that k is in canonical form. 

A preferred embodiment of an apparatus which performs the key transport protocol 
for groups is depicted in block diagrams in figure 12. Let $k \in G$ be the common key 
exchanged via the Key Agreement Protocol for Groups 120 which was previously depicted 
in figures 8 and 9. Let $M \in M$ be the Input 121. This is sent to the Group Action 
123 which computes $k(M)$ which is transmitted to B(ob) via the Communication Module: 
Transmit and Receive 62. Concurrently, the common key k which is the output of the Key 
Agreement Protocol for Groups 120 is sent to the Inverter 122 which inverts the element 
in the group to produce $k^{-1}$. The element $k^{-1}$ together with the received element $k(M)$ is 
presented to the Group Action 123 which computes $k^{-1}(k(M)) = M$. This is sent to the 
Canonical Form Module 124 which computes the canonical form in the message space M. 
Thus the message M has been transferred from A to B. 

Note that the above key transport protocol for groups will generally have low bandwidth 
(provided the bit-length of M is sufficiently large), but the algorithm for canonical forms 
(Canonical Form Module 124) will very often be much more computationally intensive 
than the comparison algorithms (Compare and Choose Module 114). 

Example 2: 

An example of a key transport protocol for monoids is given when the monoid U is 
the braid group with N generators (see Example 1), U = M is the message space, and the 
action is defined by 
$$u(m) = u \cdot m \ \text{(braid multiplication)} \quad \text{for all } u \in U, m \in M.$$ 
Note that in this example inverses of elements are not required so that G is viewed as 
having only the structure of a monoid. A polynomial time algorithm for comparing words 
in the braid group is given in Patrick Dehornoy, "A fast method for comparing braids," 
Advances in Mathematics 125 (1997), pages 200-235 and also in Joan S. Birman, Ki 
Hyoung Ko, and Sang Jin Lee, "A new approach to the word and conjugacy problems in 
the braid groups," to appear in Advances in Mathematics. 

With these choices, the key transport protocol is depicted in figure 11 and Dehornoy's 
or the Birman-Ko-Lee algorithm can be used as a basis for the Compare and Choose 
Module 114. 

Example 3: 

An example of a key transport protocol for groups is given when the group G is the 
braid group with N generators (see Example 1), G = M is the message space, 
and the action is defined by braid group conjugation: 
$$g(m) = g m g^{-1}, \quad \text{for all } g \in G, m \in M.$$ 
A polynomial time algorithm for computing canonical forms in the braid group is given 
in Joan S. Birman, Ki Hyoung Ko, and Sang Jin Lee, "A new approach to the word and 
conjugacy problems in the braid groups," to appear in Advances in Mathematics. 

With these choices, the key transport protocol is depicted in figure 12 and the Birman- 
Ko-Lee algorithm can be used as a basis for the Canonical Form Module 124. 

Example 4: 

Another example of a key transport protocol for groups is given when G is the braid 
group with N generators (see Example 1), M is the free group generated by the set 
$\{a_1, \ldots, a_N\}$, and the action of G on M is given as follows (see Emil Artin, "Theorie der 
Zöpfe," Hamb. Abh. 4 (1925), pages 47-72): for $i = 1, \ldots, N$, 
$$x_i(a_i) = a_{i+1}, \qquad x_i(a_{i+1}) = a_{i+1}^{-1} a_i a_{i+1},$$ 
$$x_i(a_j) = a_j \quad \text{for } j = 1, \ldots, i-1, i+2, \ldots, N.$$ 
In this instance the algorithm for the Canonical Form Module 124 is simply free reduction 
in the free group M, and the algorithm for Group Action 123 is generally exponential in 
the word length of the acting braid group element. 
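The following Python program is an added worked example, not part of the patent, instantiating the key transport protocols of figures 11 and 12 with the Artin action of Example 4. Because $x_N$ sends $a_N$ to $a_{N+1}$, the program lets the free group have as many generators as the messages and braids require (rank N+1 suffices for a braid group with N generators); the word encodings, the sample key and messages, and the candidate list are choices made here. Free reduction serves as the Canonical Form Module 124 and, for the monoid variant, as the equality test inside the Compare and Choose Module 114.

```python
# Added example, not code from the patent.  Braid words and free-group words
# are lists of non-zero ints: +i is x_i (resp. a_i), -i is x_i^{-1} (resp. a_i^{-1}).


def free_reduce(w):
    """Canonical Form Module 124 for the free group: cancel adjacent inverse pairs."""
    out = []
    for g in w:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def inverse(w):
    """Inverter 122 (the same formula inverts a free-group word)."""
    return [-g for g in reversed(w)]


def image_of_letter(i, sign, letter):
    """Artin action of x_i (sign=+1) or x_i^{-1} (sign=-1) on one letter a_l^{+-1}:
    x_i(a_i) = a_{i+1}, x_i(a_{i+1}) = a_{i+1}^{-1} a_i a_{i+1}, x_i(a_j) = a_j otherwise;
    the inverse automorphism sends a_i -> a_i a_{i+1} a_i^{-1} and a_{i+1} -> a_i."""
    l = abs(letter)
    if l == i:
        img = [i + 1] if sign > 0 else [i, i + 1, -i]
    elif l == i + 1:
        img = [-(i + 1), i, i + 1] if sign > 0 else [i]
    else:
        img = [l]
    return img if letter > 0 else inverse(img)


def act(braid, m):
    """Group Action 123: g = x_{i_1}^{e_1} ... x_{i_k}^{e_k} acts on m as
    g(m) = x_{i_1}^{e_1}( ... x_{i_k}^{e_k}(m) ... ), so that u(v(m)) = (uv)(m).
    Each generator can triple the length of a letter's image, hence the
    exponential cost in the braid word length noted in Example 4."""
    for g in reversed(braid):
        sign = 1 if g > 0 else -1
        m = free_reduce([x for letter in m for x in image_of_letter(abs(g), sign, letter)])
    return m


def group_transport(k, M):
    """Figure 12: A sends k(M); B computes k^{-1}(k(M)) and canonicalises it."""
    ciphertext = act(k, M)
    recovered = free_reduce(act(inverse(k), ciphertext))
    return ciphertext, recovered


def monoid_transport(k, M, candidates):
    """Figure 11: A sends k(M); B (Compare and Choose 114) computes k(M_i) for
    every fixed candidate M_i and returns the index whose image matches."""
    ciphertext = act(k, M)
    images = [act(k, Mi) for Mi in candidates]
    return ciphertext, images.index(ciphertext)
```

The braid relation $x_1 x_2 x_1 = x_2 x_1 x_2$ holds for act (both sides send $a_3$ to $a_3^{-1} a_2^{-1} a_1 a_2 a_3$), which is the check a practitioner should run on any hand-coded action before trusting it; in the monoid variant, the comparison in monoid_transport is exact because the action is an automorphism and free reduction is a canonical form, whereas with the braid actions of Examples 2 and 3 the comparison would need the cited word-problem algorithms.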
CLAIMS 

1. An encryption system comprising: 
a monoid key establishment apparatus responsive to an input monoid, a private element, and a combined input monoid list; 
a combinatorial action unit connected to said monoid key establishment apparatus responsive to an input message and having an encrypted output. 

2. An encryption system according to claim 1, wherein said monoid key establishment system is group based. 

3. An encryption system according to claim 1, wherein said monoid key establishment system is braid group based. 

4. An encryption system according to claim 1, wherein said combinatorial action unit is a monoid action unit. 

5. An encryption system according to claim 4, further comprising a comparison module referencing said encrypted output to an encrypted input. 

6. An encryption system according to claim 2, wherein said combinatorial action unit is a group action unit. 

7. An encryption system according to claim 3, wherein said combinatorial action unit is a braid group action unit. 

8. An encryption system according to claim 6, wherein said combinatorial action unit further comprises a key inverter. 

9. An encryption system according to claim 8, further comprising a canonical form modulator responsive to said encrypted output. 

10. An encryption system according to claim 1, further comprising means for creating a set of input monoids. 

11. An encryption system according to claim 10, wherein said means for creating a set of input monoids further comprises a monoid processor responsive to a pseudo random number generator. 

12. A key agreement system comprising: 
a combinatorial group modulator using a private element to act on a group of elements associated with a remote system to generate a local combination; 
a combinatorial multiplier responsive to a multiplier input and a remotely generated combination wherein said multiplier input is related to said private element; and 
a key extractor responsive to said private element and an output of said combinatorial multiplier. 

13. A key agreement system according to claim 12, further comprising: 
a combinatorial means for generating a local group of elements; and 
a private element generator, wherein said private element is generated from one or more elements of said local group elements. 

14. A key agreement system according to claim 12, wherein said combinatorial multiplier is a group multiplier. 

15. A key agreement system according to claim 12, wherein said combinatorial group modulator comprises: 
a braid group conjugation module; and 
a rewriter connected to an output of said braid group conjugation module. 

16. A key agreement system according to claim 15, wherein said rewriter is responsive to a pseudorandom number. 

17. A key agreement system according to claim 15, wherein said combinatorial multiplier is a braid group multiplier. 

18. An encryption method comprising the steps of: 
transforming an input monoid, a private element, and a combined input monoid list into a monoid key wherein said transforming is based on the word problem for monoids; 
combinatorially acting on said monoid key and an input message to create an encrypted output. 

19. An encryption method according to claim 18, wherein said step of acting is based on group theory. 

20. An encryption method according to claim 18, wherein said step of combinatorially acting is a monoid action. 

21. An encryption method according to claim 20, further comprising the step of comparing said encrypted output to an encrypted input. 

22. An encryption method according to claim 19, wherein said step of combinatorially acting is a group action based on the conjugacy problem. 

23. An encryption method according to claim 17, wherein said step of combinatorially acting is a braid group action. 

24. An encryption method according to claim 22, wherein said step of combinatorially acting further comprises a key inversion step. 

25. An encryption method according to claim 24, further comprising the step of canonically reformatting said encrypted output. 

26. An encryption method according to claim 18, further comprising the step of creating a set of input monoids. 

27. An encryption method according to claim 26, wherein said step of creating a set of input monoids further comprises the step of processing pseudo random numbers into monoids. 

28. A method for establishing a key comprising the steps of: 
transforming a private element and a group of elements associated with a remote system into a local combination based on a combinatorial relationship; 
combinatorially multiplying a multiplier input and a remotely generated combination wherein said multiplier input is related to said private element; and 
extracting a key from said private element and the result of the step of combinatorially multiplying. 

29. A method according to claim 28, wherein said step of combinatorially multiplying further comprises the step of rewriting the result responsive to a pseudorandom input. 

30. A method for establishing a key according to claim 28, further comprising: 
a step of generating a local group of elements; and 
a step of generating the private element, wherein said private element is generated from one or more elements of said local group elements. 

31. A method for establishing a key according to claim 28, wherein said step of combinatorially multiplying is a group multiplication. 

32. A method for establishing a key according to claim 28, wherein said step of transforming comprises the steps of: 
conjugating a combination based on a combinatorial relation by said private element; and 
rewriting, responsive to a pseudorandom process, the result of the step of conjugating. 

33. A method for establishing a key according to claim 32, wherein said step of combinatorially multiplying is a braid group multiplication. 

34. A method for establishing a key according to claim 32, wherein the step of conjugating is a braid group conjugation. 